
PALO ALTO NETWORKS: App-ID Datasheet

App-ID

App-ID, available exclusively on the Palo Alto Networks next-generation firewalls, is a patent-pending traffic classification technology that identifies more than 700 applications, irrespective of port, protocol, SSL encryption or evasive characteristic.

[Figure: the four App-ID classification stages - Application Protocol Detection / Decryption; Application Protocol Decoding; Application Signature; Heuristics]

- Brings visibility and control of application traffic back to the IT department
- Helps organizations understand the value and risk of each specific application
- Enables creation and enforcement of appropriate application usage policies

App-ID uses as many as four identification techniques to determine the exact identity of applications flowing in and out of the network. With App-ID delivering the identity of the application, IT departments are able to define policies that help regain visibility into, and control over, the applications traversing the network.
Enterprise networks are populated with applications, both work related and
non-work related, that can evade detection. Some will masquerade themselves
as legitimate traffic, others will hop ports or sneak through the firewall using
encrypted SSL tunnels. Perfect examples of these applications are P2P, IM,
RSS, and webmail, all of which use one or more of these evasive tactics, yet
many of these applications are fully capable of providing business benefits.
In the past, unapproved or non-work related applications on the corporate
network were summarily removed or blocked. Today, removing or blocking
as the default response may not be appropriate due to the widespread use
(often at the executive level) of these applications and their potential business
benefits.
A more pragmatic approach is to weigh the business impact against the
security risks. From a business perspective, will the use of the application help
attract new employees, improve the work/life balance, increase productivity
and most importantly will it generate more revenue? From a security
perspective, enterprises need to look at the data loss, privacy, productivity, and
threat implications.


App-ID Traffic Classification Technology

To enable the use of these applications to the benefit of the enterprise, IT departments need to know more about them, and the application identity generated by App-ID is the first step in achieving that goal. App-ID uses as many as four different techniques to determine which applications are traversing the network:

Application Protocol Detection and Decryption: App-ID identifies which application protocol is being used (for example, HTTP). If App-ID determines that the protocol is encrypted with SSL, it decrypts the traffic, then passes it to other elements of App-ID for further analysis. Once the application is identified, and deemed acceptable by policy, threat prevention profiles are applied, ensuring no threats sneak through over SSL. App-ID then re-encrypts the traffic and sends it on its way.
Application Protocol Decoding: The application protocol decoding in App-ID serves two purposes. First, it enables App-ID to significantly narrow the range of possible applications. Second, it strips away protocols that might be used for tunneling purposes. App-ID's protocol decoders determine if the application is using a protocol as a normal application transport (such as HTTP for web browsing applications), or if it is only using the apparent protocol to hide the real application protocol (for example, Yahoo! Instant Messenger might hide inside HTTP).

Application Signatures: App-ID uses context-based signatures, which look for unique application properties and related transaction characteristics to correctly identify the application regardless of the protocol and port being used.

Heuristics: In certain cases, evasive applications still cannot be detected even through an advanced signature analysis. In those situations, it is necessary to apply additional heuristic, or behavioral, analysis to identify certain applications, such as peer-to-peer or VoIP applications that use proprietary encryption. Heuristic analysis is used as needed, together with the other App-ID techniques discussed here, to provide visibility into applications that might otherwise elude positive identification.
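The four stages described above, worked through as an added Python example. This is not Palo Alto Networks code and it does not reproduce App-ID's real decoders or signatures: the sample flows, the `application/x-example-im` tunnelled-IM signature, the standard-port table and the 7.5 bits-per-byte entropy threshold are all constructed for illustration. What it shows is the order of operations the datasheet describes: the carrier protocol is found from payload bytes with the port ignored, HTTP is decoded into fields so a tunnelled application can be told apart from web browsing, signatures run over those decoded fields, and an entropy heuristic is the fallback for opaque traffic. Encrypted flows are labelled `ssl` and marked as needing decryption rather than decrypted, since that step requires the firewall's decryption policy.

```python
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first client-to-server bytes of the flow (constructed samples below)


@dataclass(frozen=True)
class Verdict:
    app: str        # application name, or "unknown"
    protocol: str   # carrier protocol found by stage 1
    stage: str      # which stage produced the answer
    evasive: bool   # protocol seen on a port it does not normally use


# Stage 1: protocol detection from payload bytes only; the destination port is never consulted.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|CONNECT) \S+ HTTP/1\.[01]\r\n")
STANDARD_PORTS = {"http": {80, 8080}, "tls": {443}, "ssh": {22}}  # assumed table for the example


def detect_protocol(payload: bytes) -> str:
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    # TLS record: content type 0x16 (handshake), version 0x03xx, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"


# Stage 2: protocol decoding.  Parse the HTTP request so later stages see fields
# (method, host, content type, body) instead of raw bytes.
def decode_http(payload: bytes) -> dict:
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return {"method": method.decode(), "target": target.decode(), "headers": headers, "body": body}


# Stage 3: context-based signatures over the decoded fields.  These signatures are
# constructed for the example and are not App-ID's signatures.
def http_signatures(decoded: dict) -> str:
    headers, body = decoded["headers"], decoded["body"]
    if headers.get("content-type", "").lower() == "application/x-example-im" or body.startswith(b"XIM1"):
        return "example-im"  # an IM client carrying its own protocol inside HTTP POSTs
    if decoded["method"] == "CONNECT":
        return "http-proxy"
    return "web-browsing"


# Stage 4: heuristics for flows no decoder or signature could place.  Shannon entropy of
# the first bytes separates proprietary-encrypted traffic from plain but unrecognised data.
def entropy_bits_per_byte(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(flow: Flow) -> Verdict:
    proto = detect_protocol(flow.payload)
    evasive = proto in STANDARD_PORTS and flow.dst_port not in STANDARD_PORTS[proto]
    if proto == "http":
        return Verdict(http_signatures(decode_http(flow.payload)), proto, "signature", evasive)
    if proto == "tls":
        # Without decryption the inner application stays hidden; a decryption policy
        # would feed the plaintext back through classify().
        return Verdict("ssl", proto, "protocol-detection", evasive)
    if proto == "ssh":
        return Verdict("ssh", proto, "protocol-detection", evasive)
    if entropy_bits_per_byte(flow.payload[:512]) > 7.5:  # threshold assumed for the example
        return Verdict("encrypted-p2p-like", proto, "heuristic", False)
    return Verdict("unknown", proto, "none", False)


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = {
    "browsing": Flow(80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "im-in-http": Flow(80, b"POST /relay HTTP/1.1\r\nHost: relay.example\r\n"
                           b"Content-Type: application/x-example-im\r\n\r\nXIM1\x00\x01"),
    "tls": Flow(443, bytes.fromhex("16030100c0010000bc0303") + bytes(32)),
    "ssh-on-443": Flow(443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "opaque": Flow(6881, bytes(range(256)) * 2),
    "plain-unknown": Flow(6881, b"HELLO WORLD " * 20),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:14} port={flow.dst_port:<5} {classify(flow)}")
```

The `evasive` flag is the port-versus-protocol mismatch the datasheet's "Evasive" characteristic describes; in the samples, SSH offered on 443 is flagged while TLS on 443 is not, and the IM flow is identified as `example-im` even though its carrier is ordinary HTTP on port 80.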

Application Identity: Only Part of the Application Control Puzzle
The identity of the application is one of several pieces of the
application visibility and control puzzle. The remaining pieces
required to make a prudent business decision on how to treat
the application include more data on what the application is,
its risk characteristics, and what technology it uses.
To enable a more prudent decision making process on how to
treat an application, Palo Alto Networks presents additional
background for more than 700 applications in an application
browser, providing fingertip access to a wealth of information.
The application browser is a powerful research tool, accessible
via the Palo Alto Networks website (www.paloaltonetworks.com/arc)
and as an integral piece of the policy management
interface. In either case, administrators can filter applications
based on category, subcategory, underlying technology, and
characteristic including their file transfer capabilities, known
vulnerabilities, ability to evade detection, propensity to
consume bandwidth, and malware transmission/propagation.
Additional application drill down details include a description
of the application, the commonly used ports and a summary
of the individual application characteristics. Once the
complete picture of the application is gained, organizations
can apply policy controls that can be tied to a specific set of
users and groups via Palo Alto Networks Active Directory
integration.


Application Browser
To view more than 700 applications and their
respective characteristics, please visit the
Palo Alto Networks Application Research Center
at www.paloaltonetworks.com/arc.


Application Characteristics
Using either the application browser on the Palo Alto Networks Application Research Center or the drill down capabilities within
the Palo Alto Networks firewalls, administrators can research applications and set security policy using the eight application
characteristics.

Application Characteristic Examples


Transfers files: Able to transfer files from one network to another. Applications that can transfer files are spread across all five categories and include traditional utilities such as FTP and TFTP as well as webmail and online file sharing applications like Megaupload and YouSendIt.

Used by malware: Has been used to propagate malware, initiate an attack or steal data. Applications that are used by malware are focused mainly in the collaboration (email, IM, etc.) and general Internet categories (file sharing, Internet utilities).

Excessive bandwidth: Application consumes 1 Mbps or more regularly through normal use. Applications that hog bandwidth are spread across all five categories. Examples include P2P applications such as BitTorrent, Xunlei and DirectConnect as well as media applications, software updates and other business applications.

Evasive: Uses a port or protocol for something other than its intended purpose with intent to ease deployment or hide from existing security infrastructure. Evasive applications are spread across all five categories, with the highest representation in the collaboration and general Internet categories.

Widely used: Has seen widespread deployment. Applications that are widely used are spread across all five categories.

Vulnerabilities: Application has had known vulnerabilities. Applications that have had known vulnerabilities are distributed across all five categories.

Prone to misuse: Used for nefarious purposes or is easily configured to expose more than intended. Applications that are prone to misuse are primarily in the general Internet and networking categories. Examples include SOCKS, as well as newer applications such as DropBoks, AppleJuice and NEOnet.

Tunnels other applications: Able to transport other applications. Applications are focused mainly in the networking and collaboration categories, including SSH and SSL as well as Hopster, TOR, RTSP and RTMPT.


Application Categories
The application browser enables flexible searching and filtering of more than 700 applications using the five main categories and
the associated 25 subcategories.

Category          Subcategory              Examples
Business          Authentication services  LDAP, Active Directory, Radius
                  Database                 Oracle, Sybase, MySQL
                  ERP                      SalesForce.com, Siebel
                  General                  SOAP, Corba, and SharePoint
                  Management               MS-Scheduler, Altiris, SAP
                  Office programs          Meeting-Maker, Google Calendar, NFS
                  Software updates         MS-Update, WebSense, TrendMicro
                  Storage/backup           Mozy, iBackup, RSYNCH
General Internet  File sharing             Megaupload, YouSendIt, Xunlei, FTP
                  Internet utilities       Finger, RSS, Blog-posting
Collaboration     Email                    Outlook Web, SMTP, Yahoo-Mail, Gmail
                  Instant Messaging        IRC, MSN, Yahoo-IM
                  Internet conferencing    Live Meeting, Webex, Elluminate
                  Social networking        MySpace, Facebook, Spark
                  VoIP-video               SIP, H.323, Skype, Yahoo-Voice
                  Web-posting              JotSpot, Zoho, SocialText
Media             Audio-streaming          Live365, iTunes, Pandora, XM-Radio
                  Gaming                   SubSpace, Pokerstars, PartyPoker
                  Photo-video              SopCast, VeohTV, MetaCafe, YouTube
Networking        Encrypted tunnel         SSL, SSH, Swipe, TOR
                  Infrastructure           RPC, DHCP, SSDP
                  IP-protocol              ICMP, Xnet, GGP, EitherIP
                  Proxy                    SOCKS, CGIProxy, ByPassThat, HTTP-Proxy
                  Remote-access            Telnet, Citrix, MS-RDP
                  Routing                  RIP, GRE, IDRP

Palo Alto Networks
232 E. Java Drive
Sunnyvale, CA. 94089
Sales 866.207.0077
www.paloaltonetworks.com

Copyright 2008, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS,
FlashMatch, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. in the United States. All specifications are
subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or
for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer,
or otherwise revise this publication without notice.
